“What keeps you up at night?”
It’s a question that has been posed numerous times to healthcare information and security leaders — one that has no correct answer. From the myriad devices that find their way into the network to the phishing scams that become more sophisticated by the minute, there are countless scenarios that can cause sleeplessness.
But for today’s information security expert, who has emerged from the shadow to become a key part of the leadership team, perhaps a better question is, “What gets you out of bed in the morning?” For many CISOs, it’s not avoiding a crisis that drives their teams, but safeguarding data — and most importantly, patients.
Recently, healthsystemCIO hosted a panel discussion with three of the top CISOs in the industry: Sri Bharadwaj of UC Irvine Health, Ronald Mehring of Texas Health Resources, and Anahi Santiago of ChristianaCare. As expected, there was no shortage of takeaways on how organizations can create a more comprehensive, effective cybersecurity strategy.
Perhaps the best place to start is by asking why healthcare is targeted so often. According to the panelists, there are two primary reasons. First, the information itself is extremely valuable, whether it’s clinical trial data, financial records, or information about a famous patient. Second, the environment is fast-paced and chaotic, which makes it easier for mistakes to occur — and as a result, more appealing to bad actors.
And as threats become increasingly sophisticated, defending against them will only become more challenging. But although there are no foolproof plans, there are several steps healthcare IT leaders can take to prevent attacks from happening, or to mitigate the damage in the event of a breach.
Keep a catalogue
At Texas Health Resources, the IT security team maintains a “threat scenario catalogue” that identifies the key areas of concern, such as targeted phishing, social engineering, third-party compromise, legacy and device vulnerabilities, and zero-day attacks. “We manage through the high-risk threat scenarios, and then deal with the everyday risks as well,” said Mehring.
“We’re the only industry where insider threats are the biggest cause of breaches,” noted Anahi Santiago.
In addition, healthcare organizations must contend with nation-state hackers looking to enter the network.
Know the enemy
Although there are myriad threats, as Mehring pointed out, the most dangerous is ransomware. Not just because it can put organizations in an unenviable situation, but because the software itself is “constantly evolving,” he said. “There are different strands and vectors of ransomware.” And while the intent is always the same, the way in which it inserts itself into a system is ever-changing.
Battling a community
What’s even more alarming is that when it comes to ransomware attacks, CISOs aren’t contending with a single individual, but rather a “community of bad actors,” said Santiago. And this particular community is excellent at collaborating using the “vast resources” available through the dark web. “It’s a multi-million dollar industry.”
Arming your troops
It’s also an industry that preys on providers who are far more focused on caring for patients and saving lives than on scrutinizing emails. “They don’t have time to stop themselves from clicking on a link,” Santiago noted. That’s where education comes in.
“We have to protect our employees and our patients, and make sure they have the right level of knowledge on how to use applications and computer systems,” said Bharadwaj. And when they do falter — because many will fail phishing tests, even C-suite members — the emphasis should be on increasing awareness, not on punishing wrongdoers, he added. “It’s not about tools and technology; it’s about people.”
When mistakes are made, individuals need to know they can — and must — approach leadership immediately. “Human beings can’t know every threat,” said Bharadwaj. “But if they believe they’ve been impacted, they need to come to us so we can help them navigate.” And that means reserving judgment and zeroing in on how to deal with the issue at hand.
Testing, testing, testing
Readiness evaluations are always a good idea, but leaders need to take it a step further and conduct “well thought-out, practical exercises that address the issues around maintaining the safety and privacy of both consumers and caregivers,” said Mehring. One method is penetration testing, which is often outsourced because of the difficulty of maintaining an in-house capability. However, he believes the space is evolving to the point where more organizations will be able to insource testing and fully automate it so that it integrates with operations.
Preparation is everything
As more devices penetrate the environment, having a “strong, structured incident response plan” is becoming a minimum requirement, said Bharadwaj. He believes CISOs and other leaders need to bring attorneys and marketing and communications teams into the discussion, and should reach out to agencies like the FBI to share knowledge.
Don’t reinvent the wheel
Security and technology leaders need to make sure the response plan integrates with that of the health system — not just to ensure alignment, but to better allocate resources. “We should be leveraging crisis plans, not rewriting them,” said Santiago. “We’re all working on this. There’s no need to reinvent the wheel.”
Embrace the new role
Gone are the days when IT security professionals were confined to the basement. Now, “you have to be in front of the board — not just presenting, but having important conversations,” said Bharadwaj. He believes today’s CISO needs to embody similar qualities as other healthcare executives, including a willingness to engage and a desire to innovate.
Santiago agreed, adding that one of the most important aspects of the IS leader’s role is to empower others to make informed decisions on how to manage risk and how to proceed after a breach.
“My role is to move the needle forward, but I’m not the sole decision-maker.”
The archive of the webinar, The State of Security: The Latest Threats, Defenses & Policy Developments, is available on healthsystemCIO.